Re: [PATCH v3 7/9] KVM: vmx/pmu: Add Arch LBR emulation and its VMCS field

[Xu, Like]

On 2021/3/5 1:23, Sean Christopherson wrote:
> On Thu, Mar 04, 2021, Xu, Like wrote:
> > On 2021/3/4 1:26, Sean Christopherson wrote:
> > > On Wed, Mar 03, 2021, Like Xu wrote:
> > > > New VMX controls bits for Arch LBR are added. When bit 21 in vmentry_ctrl
> > > > is set, VM entry will write the value from the "Guest IA32_LBR_CTL" guest
> > > > state field to IA32_LBR_CTL. When bit 26 in vmexit_ctrl is set, VM exit
> > > > will clear IA32_LBR_CTL after the value has been saved to the "Guest
> > > > IA32_LBR_CTL" guest state field.
> > > ...
> > >
> > > > @@ -2529,7 +2532,8 @@ static __init int setup_vmcs_config(struct vmcs_config *vmcs_conf,
> > > >    	      VM_EXIT_LOAD_IA32_EFER |
> > > >    	      VM_EXIT_CLEAR_BNDCFGS |
> > > >    	      VM_EXIT_PT_CONCEAL_PIP |
> > > > -	      VM_EXIT_CLEAR_IA32_RTIT_CTL;
> > > > +	      VM_EXIT_CLEAR_IA32_RTIT_CTL |
> > > > +	      VM_EXIT_CLEAR_IA32_LBR_CTL;
> > > So, how does MSR_ARCH_LBR_CTL get restored on the host?  What if the host wants
> > > to keep _its_ LBR recording active while the guest is running?
> > Thank you!
> >
> > I will add "host_lbrctlmsr" field to "struct vcpu_vmx" and
> > repeat the update/get_debugctlmsr() stuff.
> I am not remotely confident that tracking LBRCTL via vcpu_vmx is correct, and
> I'm far less confident that the existing DEBUGCTL logic is correct.  As Jim
> pointed out[*], intel_pmu_handle_irq() can run at any time, and it's not at all
> clear to me that the DEBUGCTL coming out of the NMI handler is guaranteed to be
> the same value going in.  Ditto for LBRCTL.

It's not true for "Ditto for LBRCTL".

Because the usage of ARCH_LBR_CTL is specified for LBR,
not the shared case of DEBUGCTL. And all LBR events created from
KVM or host perf syscall are all under the control of host perf subsystem.

The irq handler would restore the original value of the ARCH_LBR_CTL
even it's called after the KVM snapshots DEBUCTL on vCPU load.
The change is transparent to the update_lbrctlmsr() and get_lbrctlmsr().

> Actually, NMIs aside, KVM's DEBUGCTL handling is provably broken since writing
> /sys/devices/cpu/freeze_on_smi is propagated to other CPUs via IRQ, and KVM
> snapshots DEBUCTL on vCPU load, i.e. runs with IRQs enabled long after grabbing
> the value.
>
>    WARNING: CPU: 5 PID: 0 at arch/x86/events/intel/core.c:4066 flip_smm_bit+0xb/0x30
>    RIP: 0010:flip_smm_bit+0xb/0x30
>    Call Trace:
>     <IRQ>
>     flush_smp_call_function_queue+0x118/0x1a0
>     __sysvec_call_function+0x2c/0x90
>     asm_call_irq_on_stack+0x12/0x20
>     </IRQ>

This kind of bug with the keyword "flip_smm_bit" did not appear on the 
mailing list.
Would you mind to share testcases or more details about the steps to 
reproduce ?

> So, rather than pile on more MSR handling that is at best dubious, and at worst
> broken, I would like to see KVM properly integrate with perf to ensure KVM
> restores the correct, fresh values of all MSRs that are owned by perf.  Or at
> least add something that guarantees that intel_pmu_handle_irq() preserves the
> MSRs.  As is, it's impossible to review these KVM changes without deep, deep
> knowledge of what perf is doing.

Jim complained more about the inconsistent maintenance of
MSR_IA32_PEBS_ENABLE between KVM and perf subsystem.

The issue bothers the host due to the subsystem integration,
but the guest's use of PBES will be safe and reliable.

We could cover more details in the guest PEBS enabling thread.

> https://lkml.kernel.org/r/20210209225653.1393771-1-jmattson@xxxxxxxxxx